WinRAR Filename Spoofing Vulnerability Leading to Remote Code Execution

Vulnerability

A filename spoofing vulnerability has been identified in WinRAR versions 4.11 prior to 5.00, and in WinRAR 3.80 through 3.91. The vulnerability occurs when WinRAR processes a specially crafted ZIP archive, allowing an attacker to control which file name the user sees. The issue arises from a discrepancy between the Central Directory and Local File Header entries in the ZIP file: when the archive is opened in WinRAR, the name displayed in the file list is taken from the Central Directory, while the name of the file actually extracted and executed is taken from the Local File Header. Because the two records are not checked against each other, an attacker can present a malicious payload under a harmless-looking name, misleading the user into running it and potentially resulting in remote code execution.
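As an added defensive example that is not part of this advisory: a Python check that walks the Central Directory of a ZIP file and flags any entry whose Local File Header carries a different name, which is the exact inconsistency described above. The archive-building helper and the entry names are constructed fixtures for the check, not data from the advisory.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_LEN = 30  # fixed-size part of a Local File Header


def _decode_name(raw: bytes, flag_bits: int) -> str:
    # Same rule the central directory uses: general-purpose bit 11 => UTF-8, else CP437.
    return raw.decode("utf-8" if flag_bits & 0x800 else "cp437")


def find_name_mismatches(data: bytes) -> list[tuple[str, str]]:
    """Return (central_directory_name, local_header_name) pairs that disagree."""
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # infolist() is populated from the Central Directory only.
        for info in zf.infolist():
            off = info.header_offset
            hdr = data[off:off + LOCAL_HEADER_LEN]
            if len(hdr) < LOCAL_HEADER_LEN or hdr[:4] != LOCAL_HEADER_SIG:
                mismatches.append((info.orig_filename, "<missing local header>"))
                continue
            flags = struct.unpack_from("<H", hdr, 6)[0]      # general-purpose flag bits
            name_len = struct.unpack_from("<H", hdr, 26)[0]  # file name length
            local_name = _decode_name(data[off + 30:off + 30 + name_len], flags)
            if local_name != info.orig_filename:
                mismatches.append((info.orig_filename, local_name))
    return mismatches


def build_sample_archives() -> tuple[bytes, bytes]:
    """Constructed fixtures: a consistent archive and a copy whose Local File
    Header name differs from the Central Directory name (same length, so all
    offsets in the archive stay valid)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", b"sample content")
    clean = buf.getvalue()
    # The first record is the local header; its name field starts at byte 30.
    spoofed = clean[:30] + b"notes.exe" + clean[30 + len(b"notes.txt"):]
    return clean, spoofed


if __name__ == "__main__":
    clean, spoofed = build_sample_archives()
    print("clean:", find_name_mismatches(clean))      # []
    print("spoofed:", find_name_mismatches(spoofed))  # [('notes.txt', 'notes.exe')]
```

Any non-empty result means the archive would be listed under one name and extracted under another, which is the condition a mail gateway or endpoint scanner can reject outright.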

Impact

Exploitation of this vulnerability allows for remote code execution, with the executed code running under the context of the user who opened the ZIP file in WinRAR.

Reproduction

To reproduce this vulnerability, create a ZIP archive that includes a file with a name spoofed to appear harmless, such as a text or image file. Ensure that the file is actually a malicious executable. When the ZIP file is opened in WinRAR, the spoofed name will be displayed, but the malicious file will be extracted and executed, leading to remote code execution.

Remediation

Users are advised to upgrade to WinRAR version 5.00 or later, which is not vulnerable to this issue. If it is necessary to use WinRAR 4.20, avoid opening files directly from ZIP archives and carefully check the names of unpacked files before opening them.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread:         8.4
impact:        10.0
exploitability: 5.8
remediation:    8.3
relevance:      0.3
threat:         7.0
urgency:        2.9
incentive:      0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.